OTOBO Download

Current version: OTOBO 10.0.12

Find download links to the most recent OTOBO installer packages for the various Linux distributions and the Docker image here:

From version 10.0.7 on, we recommend installing via Docker.

OTOBO 10

GitHub

Docker® Image

Manuals

Release News

Read more about the current release in the Release Notes and in our forum.

Security Advisories

Security Advisory 2021-10

Authenticated customer users can see company tickets in the Elasticsearch quick search, even though DisableCustomerCompanyTickets is activated, if they have the same CustomerID.

Criticality: low.
Patched in OTOBO 10.0.12.

Security Advisory 2021-09

Packages from the Docker base image are outdated and contain known vulnerabilities. This Security Advisory only affects Docker systems.

Criticality: Middle.
Patched in OTOBO 10.0.12.

Security Advisory 2021-08

Authenticated agents were able to list appointments from calendars they were not entitled to access (CVE-2021-36091).

Thanks to Centuran Consulting for this hint.

Criticality: low.
Patched in OTOBO 10.0.12.

Security Advisory 2021-07
Authenticated agents were able to list customer emails from tickets they were not entitled to access (CVE-2021-21443).

Thanks to Centuran Consulting for this hint.

Criticality: low.
Patched in OTOBO 10.0.12.

Security Advisory 2021-06
Generated support bundles may contain private S/MIME and PGP keys if the folder they are saved in has not been actively hidden (CVE-2021-21440). Thanks to Julian Droste for the hint.

Criticality: Middle (5.2).
Patched in OTOBO 10.0.12.

Security Advisory 2021-05
A vulnerability made it possible for an attacker to use JavaScript injection via a manipulated link or CSRF to create tickets on behalf of a CustomerUser interacting with the manipulated resource, or to change their preferences (except the password).
Thanks to hypnguyen1209 for sharing the issue.
Criticality: low.

Patched in OTOBO 10.0.11.

Security Advisory 2021-04
Attackers were able to tap data in the ticket overview by way of an XSS attack using a manipulated email. Thanks to the Znuny team for sharing the issue and providing the fix (ZSA-2021-06; Criticality: high).

A security issue in jQuery-Validate enabled ReDoS attacks (CVE-2021-21252; criticality: low).

Patched in OTOBO 10.0.10.

Security Advisory 2021-03
In psgi-based Docker installations, OTOBO admins could access sensitive data. This vulnerability ONLY affects systems where psgi was explicitly chosen during installation. Standard installations implemented as described in the documentation are NOT affected.
Patched in OTOBO 10.0.9.

Security Advisory 2021-02
Survey Module: A survey administrator can craft a survey in such a way that malicious code is executed in the agent interface (i.e. for another agent who wants to make changes to the survey). Risk Level: 3.5 LOW.
Patched in OTOBO Survey Module 10.0.3.

Security Advisory 2021-01
Several vulnerabilities in CKEditor. Risk Level: 5.5 MEDIUM.
Patched in OTOBO 10.0.8.

Security Advisory 2020-01
OTOBO uses jQuery version 3.4.1, which is vulnerable to cross-site scripting (XSS). Risk Level: 6.3 / 6.5 MEDIUM.
Patched in OTOBO 10.0.5.

Additional features and packages can be found at https://ftp.otobo.org/pub/otobo/packages/ and in the OTOBO Package Administration.

Thank you for your contributions to OTOBO!
Please visit the OTOBO Forum for support, current information, and feedback regarding OTOBO.